SSHReverseTunnel Class
Properties Methods Events Configuration Settings Errors
The SSHReverseTunnel class provides a simple way to establish a reverse tunnel with a SSH host.
Syntax
class ipworksssh.SSHReverseTunnel
Remarks
The SSHReverseTunnel class may be used to establish a reverse tunnel with a SSH host. The SSH host will listen for incoming connections on the specified port and forward traffic to the class through the SSH tunnel.
The ssh_host and ssh_port properties specify the SSH server to use. The ssh_user and ssh_password properties allow the client to authenticate itself with the server. The on_ssh_server_authentication event and/or ssh_accept_server_host_key property allow you to check the server identity. Finally, the on_ssh_status event provides information about the SSH handshake.
To begin call ssh_logon to connect to the SSH host. After this method returns the connection to the SSH server has been successfully established. To establish a reverse tunnel call request_forwarding. This method takes parameters to tell the SSH host on which port to listen.
The class has two modes that allow data to be dealt with directly from the events, or automatically forwarded on to a different endpoint.
Event Based Operation
In this mode any data received by the class over the tunnel causes the events of the class to fire. For instance:
SSHReverseTunnel.RequestForwarding("0.0.0.0",777,"",0);
In the above code forwarding is request from port 777 on the ssh_host. Any data received on port 777 by the ssh_host will be sent to the class. In the above code the last two parameters are empty or 0 indicating to the class that no local forwarding is requested.
Once request_forwarding returns the SSH reverse tunnel is established and any connection made to the SSH host on the specified port will trigger events of the class to fire allowing you to handle the connection request and data.
When a client connects to the SSH host on the specified port the on_ssh_channel_open_request event will fire. Within this event choose to accept or reject the connection by setting the e.Accept parameter. This event contains details about the connection that may be used when determining whether to accept the connection.
After the channel is established data is received through the on_ssh_channel_data event. To send data over the channel call the send_channel_data method. To close the channel call the close_channel method.
Local Forwarding
In this mode the any data received by the class is automatically forwarded to a separate endpoint.
This allows the class to act as a sort of proxy. There is no need to handle data directly in this case.
For instance:
SSHReverseTunnel.RequestForwarding("0.0.0.0",777,"nsoftware.com",80);
In the above code forwarding is request from port 777 on ssh_host. The class is instructed to establish a connection to "nsoftware.com" on port 80 when a client connect to ssh_host on port 777. Any data received from the client connected to ssh_host on port 777 will automatically be forwarded to "nsoftware.com" on port 80. Any data received back from "nsoftware.com" on port 80 will be sent back to the connected client.
In this mode data may flow freely from the client connected to the ssh_host to the endpoint specified in the request_forwarding method without any additional code required.
Additional Notes
The following events are applicable when a connection is made to the SSH host:
- on_ssh_channel_closed
- on_ssh_channel_data
- on_ssh_channel_eof
- on_ssh_channel_opened
- on_ssh_channel_open_request
- on_ssh_channel_ready_to_send
- on_ssh_channel_requested
To stop a previously established reverse tunnel call the cancel_forwarding method.
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| ssh_channel_count | The number of records in the arrays. |
| bytes_sent | The number of bytes actually sent after a sending channel data. |
| channel_id | An id generated by the class to identify the current SSH channel. |
| connected_address | This property holds the remote address to which the connection was established. |
| connected_port | This property holds the remote port to which the connection was established. |
| data_to_send | A string of data to be sent to the remote host. |
| forwarding_host | Holds the host to which incoming traffic is forwarded. |
| forwarding_port | Holds the port to which incoming traffic is forwarded. |
| origin_address | This property holds the address of the client which originated the connection to the reverse tunnel on SSHHost . |
| origin_port | This property holds the port used by the client which originated the connection to the reverse tunnel on SSHHost . |
| service | This property holds the channel type that was requested when opening the channel. |
| connected | Triggers a connection or disconnection. |
| firewall_auto_detect | This property tells the class whether or not to automatically detect and use firewall system settings, if available. |
| firewall_type | This property determines the type of firewall to connect through. |
| firewall_host | This property contains the name or IP address of firewall (optional). |
| firewall_password | This property contains a password if authentication is to be used when connecting through the firewall. |
| firewall_port | This property contains the TCP port for the firewall Host . |
| firewall_user | This property contains a user name if authentication is to be used connecting through a firewall. |
| local_host | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
| local_port | The TCP port in the local host where the class binds. |
| ssh_accept_server_host_key_encoded | The certificate (PEM/base64 encoded). |
| ssh_auth_mode | The authentication method to be used the class when calling SSHLogon . |
| ssh_cert_encoded | The certificate (PEM/base64 encoded). |
| ssh_cert_store | The name of the certificate store for the client certificate. |
| ssh_cert_store_password | If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. |
| ssh_cert_store_type | The type of certificate store for this certificate. |
| ssh_cert_subject | The subject of the certificate used for client authentication. |
| ssh_compression_algorithms | A comma-separated list containing all allowable compression algorithms. |
| ssh_encryption_algorithms | A comma-separated list containing all allowable encryption algorithms. |
| ssh_host | The address of the SSH host. |
| ssh_password | The password for SSH password-based authentication. |
| ssh_port | The port on the SSH server where the SSH service is running; by default, 22. |
| ssh_user | The username for SSH authentication. |
| timeout | A timeout for the class. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| cancel_forwarding | Requests the server to stop forwarding a remote TCP/IP port. |
| close_channel | Closes a existing SSHChannel . |
| config | Sets or retrieves a configuration setting. |
| decode_packet | Decodes a hex-encoded SSH packet. |
| do_events | Processes events from the internal message queue. |
| encode_packet | Hex encodes an SSH packet. |
| exchange_keys | Causes the class to exchange a new set of session keys with the SSHHost . |
| get_ssh_param | Used to read a field from an SSH packet's payload. |
| get_ssh_param_bytes | Used to read a field from an SSH packet's payload. |
| request_forwarding | Requests the server to forward a remote TCP/IP port. |
| reset | Reset the class. |
| send_channel_data | Used to send regular data over an SSH channel. |
| set_ssh_param | Used to write a field to the end of a payload. |
| ssh_logoff | Logoff from the SSH server. |
| ssh_logon | Logon to the SSHHost using the current SSHUser and SSHPassword . |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| on_connected | Fired immediately after a connection completes (or fails). |
| on_connection_status | Fired to indicate changes in connection state. |
| on_disconnected | Fired when a connection is closed. |
| on_error | Information about errors during data delivery. |
| on_log | Fires once for each log message. |
| on_reconnect_attempt | Fires when attempting to reconnect. |
| on_ssh_channel_closed | Fired when a channel is closed. |
| on_ssh_channel_data | Fired when the SSHHost sends channel data to the client. |
| on_ssh_channel_eof | Fired when the remote peer signals the end of the data stream for the channel. |
| on_ssh_channel_opened | Fired when a channel is successfully opened. |
| on_ssh_channel_open_request | Fired when the peer attempts to open a new channel. |
| on_ssh_channel_ready_to_send | Fired when the class is ready to send data. |
| on_ssh_channel_request | Fired when the SSHHost sends a channel request to the client. |
| on_ssh_channel_requested | Fired if the SSHChannelRequest was successful, any further processing for the channel request should be done here. |
| on_ssh_custom_auth | Fired when the class is doing custom authentication. |
| on_ssh_keyboard_interactive | Fired when the class receives a request for user input from the server. |
| on_ssh_server_authentication | Fired after the server presents its public key to the client. |
| on_ssh_status | Shows the progress of the secure connection. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
| AutoReconnect | Whether to automatically reestablish the SSH connection. |
| DefaultChannelIdleTimeout | The inactivity timeout for channels. |
| ForwardedPort | The remote port which is forwarded. |
| ForwardingLocalHost | The interface on which to bind when forwarding data. |
| MaxRetryCount | The maximum number of retries when reconnecting. |
| RetryInterval | The interval in seconds between reconnect attempts. |
| ClientSSHVersionString | The SSH version string used by the class. |
| EnablePageantAuth | Whether to use a key stored in Pageant to perform client authentication. |
| KerberosDelegation | If true, asks for credentials with delegation enabled during authentication. |
| KerberosRealm | The fully qualified domain name of the Kerberos Realm to use for GSSAPI authentication. |
| KerberosSPN | The Kerberos Service Principal Name of the SSH host. |
| KeyRenegotiationThreshold | Sets the threshold for the SSH Key Renegotiation. |
| LogLevel | Specifies the level of detail that is logged. |
| MaxPacketSize | The maximum packet size of the channel, in bytes. |
| MaxWindowSize | The maximum window size allowed for the channel, in bytes. |
| PasswordPrompt | The text of the password prompt used in keyboard-interactive authentication. |
| PreferredDHGroupBits | The size (in bits) of the preferred modulus (p) to request from the server. |
| RecordLength | The length of received data records. |
| ServerSSHVersionString | The remote host's SSH version string. |
| SignedSSHCert | The CA signed client public key used when authenticating. |
| SSHAcceptAnyServerHostKey | If set the class will accept any key presented by the server. |
| SSHAcceptServerCAKey | The CA public key that signed the server's host key. |
| SSHAcceptServerHostKeyFingerPrint | The fingerprint of the server key to accept. |
| SSHFingerprintHashAlgorithm | The algorithm used to calculate the fingerprint. |
| SSHFingerprintMD5 | The server hostkey's MD5 fingerprint. |
| SSHFingerprintSHA1 | The server hostkey's SHA1 fingerprint. |
| SSHFingerprintSHA256 | The server hostkey's SHA256 fingerprint. |
| SSHKeepAliveCountMax | The maximum number of keep alive packets to send without a response. |
| SSHKeepAliveInterval | The interval between keep alive packets. |
| SSHKeyExchangeAlgorithms | Specifies the supported key exchange algorithms. |
| SSHKeyRenegotiate | Causes the class to renegotiate the SSH keys. |
| SSHMacAlgorithms | Specifies the supported Mac algorithms. |
| SSHPubKeyAuthSigAlgorithms | Specifies the enabled signature algorithms that may be used when attempting public key authentication. |
| SSHPublicKeyAlgorithms | Specifies the supported public key algorithms. |
| SSHVersionPattern | The pattern used to match the remote host's version string. |
| TryAllAvailableAuthMethods | If set to true, the class will try all available authentication methods. |
| WaitForChannelClose | Whether to wait for channels to be closed before disconnected. |
| WaitForServerDisconnect | Whether to wait for the server to close the connection. |
| ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
| FirewallAutoDetect | Tells the class whether or not to automatically detect and use firewall system settings, if available. |
| FirewallHost | Name or IP address of firewall (optional). |
| FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
| FirewallPort | The TCP port for the FirewallHost;. |
| FirewallType | Determines the type of firewall to connect through. |
| FirewallUser | A user name if authentication is to be used connecting through a firewall. |
| KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
| KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
| Linger | When set to True, connections are terminated gracefully. |
| LingerTime | Time in seconds to have the connection linger. |
| LocalHost | The name of the local host through which connections are initiated or accepted. |
| LocalPort | The port in the local host where the class binds. |
| MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
| MaxTransferRate | The transfer rate limit in bytes per second. |
| ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
| TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
| TcpNoDelay | Whether or not to delay when sending packets. |
| UseIPv6 | Whether to use IPv6. |
| AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
| FirewallData | Used to send extra data to the firewall. |
| InBufferSize | The size in bytes of the incoming queue of the socket. |
| OutBufferSize | The size in bytes of the outgoing queue of the socket. |
| BuildInfo | Information about the product's build. |
| CodePage | The system code page used for Unicode to Multibyte translations. |
| LicenseInfo | Information about the current license. |
| ProcessIdleEvents | Whether the class uses its internal event loop to process events when the main thread is idle. |
| SelectWaitMillis | The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process. |
| UseInternalSecurityAPI | Tells the class whether or not to use the system security libraries or an internal implementation. |